Within the last 20 years there has been an explosive growth in the United States of America of the use of electronic funds transfers. In particular, there has been widespread growth of transfer of funds in the form of dispensing cash from automatic teller machines (ATM). ATM systems typically provide each customer with a card for operating the machine, which card includes a stripe of high magnetic retentivity material on the back for magnetically encoding data identifying the account and the customer, and the like. Since such cards are physically capable of being stolen and used by others, most ATM cash distribution systems have adopted the use of a personal identification number, hereinafter also referred to by its common acronym PIN, that must be provided by the customer in order to effect a transaction using the card.
PINs are typically short alphanumeric strings that can be easily remembered by the individual customer. It is critical for the security of the system, or at least for each particular customer's account, that the PIN not be written down in any fashion where it is accessible to someone who has stolen the card of the bank customer.
As part of the security in a typical ATM transaction system, the PIN is not stored as part of the magnetically coded information on the magnetic stripe of the account card. Therefore, so long as the customer obeys the rule of keeping no written notation of the PIN in the vicinity of the account card, such as in the customer's wallet or purse, there is no effective way for the possessor of a stolen card to illegally obtain cash from the ATM.
As the use of ATMs has grown and banks seek to provide enhanced services to their customers, a number of ATM authorization networks have been created in the United States of America. These are normally regional networks, of which multiple banks are members, arranged in the following manner. Account maintenance computers for each member bank of the network are connected electronically to a transaction computer run by the operator of the network. This allows the network to obtain inbound access to certain parts of the customer account records for each member bank. The customers of each member bank are notified of the networks of which the bank is a member. Typically, the individual banks will also place logos or other distinctive indicia on their automatic teller machines indicating the particular networks to which those machines are connected.
In this way, the customer of any bank that is a member of a network can quickly inspect any automatic teller machine near where the customer happens to be at a time when he or she is in need of cash. If the machine indicates that the bank operating same is a member of a particular network of which the customer's bank is also a member, the customer can insert the card and execute an ATM transaction at the ATM, irrespective of the identity of the particular bank that owns and operates same. This has provided widespread access to cash from individuals' bank accounts over a wide geographic area.
The transaction processing computer operated by the network typically assembles information it receives from the ATM and passes it, normally via dedicated telephone links, to the host computer at the bank that maintains the customer's account. This includes an identification of the account, the amount involved and the particular type of transaction requested, and an encrypted representation of the personal identification number input at the ATM. The host computer at the bank then returns data to the network computer indicating whether or not the transaction is authorized. If same is authorized and it is, for example, a cash withdrawal, the account of the customer will be immediately debited at the host computer operated by that customer's bank. The network computer passes the authorization upstream allowing, in the particular example, the ATM to dispense cash to the customer.
Security considerations have led to a number of relatively stringent requirements imposed by both banks and the operators of the interbank regional networks. Since we are living in the age of computer hackers and thieves with relatively sophisticated electronic and data processing capability, most of the security requirements have been focused on the main security feature of such ATM networks, i.e., the PIN. Typically, the transaction network imposes at least the following constraints on personal identification numbers. In order to prevent interception of a reproducible complete set of data identifying a bank transaction, the networks typically require that there be no transmission in the clear of a personal identification number. This leads to a requirement that the PIN somehow be encrypted at the terminal. Additionally, many networks require that all ATM or other point of sale transaction terminals connected to the network encrypt the PIN solely with a hardware encryption device in the keypad through which the PIN is entered into an ATM. In other words, it is not acceptable to accumulate the PIN in memory and then run a software algorithm that encrypts same. This is done principally to prevent any unauthorized personnel from gaining access to the PINs via the telephonic connection thereto and knowledge of the operating system driving the ATMs. Thus, many network operators require that a hardware encryption device be interposed between the keypad keys and any microprocessor controlling the ATM terminal equipment.
Additionally, most networks preclude storage of customer PINs either in the clear or in an encrypted form in transaction processors. Thus, the only location at which the actual PIN can be stored is in the customer account records of the bank maintaining the account, which records are on a machine that ultimately provides the authorization for any particular transaction.
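The authorization flow and PIN constraints described above can be modeled in a few lines; this is an added example, not part of the original text. It assumes an HMAC-SHA256 keystream as a stand-in for the unspecified hardware cipher, a key shared between the keypad device and the issuing bank's host, and a per-entry nonce that the host uses to reject a replayed message; all class, function and field names are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed key, assumed shared by the keypad hardware and the issuing bank's host.
KEYPAD_KEY = secrets.token_bytes(32)

def _keystream(key, account, nonce, n):
    # HMAC-SHA256 as a PRF: a stand-in for the unspecified hardware cipher.
    return hmac.new(key, account.encode() + nonce, hashlib.sha256).digest()[:n]

def keypad_encrypt(pin, account, key=KEYPAD_KEY):
    """Models the keypad device: only ciphertext ever reaches the terminal's processor."""
    nonce = secrets.token_bytes(8)  # fresh per entry, so no two transmissions repeat
    raw = pin.encode()
    block = bytes(a ^ b for a, b in zip(raw, _keystream(key, account, nonce, len(raw))))
    return {"nonce": nonce.hex(), "pin_block": block.hex()}

class BankHost:
    """Issuing bank's host: the only party holding the PIN, in its account records."""
    def __init__(self, key, records):
        self.key, self.records, self.seen = key, records, set()

    def authorize(self, msg):
        rec = self.records.get(msg["account"])
        nonce = bytes.fromhex(msg["nonce"])
        if rec is None or nonce in self.seen:  # unknown account or replayed message
            return False
        self.seen.add(nonce)  # assumption: host tracks nonces to refuse replays
        block = bytes.fromhex(msg["pin_block"])
        stream = _keystream(self.key, msg["account"], nonce, len(block))
        pin = bytes(a ^ b for a, b in zip(block, stream))
        if not hmac.compare_digest(pin, rec["pin"].encode()):
            return False
        if msg["type"] == "withdrawal":
            if rec["balance"] < msg["amount"]:
                return False
            rec["balance"] -= msg["amount"]  # debit immediately on authorization
        return True

class NetworkSwitch:
    """Network transaction processor: assembles and forwards, retains no PIN data."""
    def __init__(self, host):
        self.host, self.log = host, []

    def route(self, account, amount, kind, enc_pin):
        msg = {"account": account, "amount": amount, "type": kind, **enc_pin}
        self.log.append({"account": account, "amount": amount, "type": kind})
        return self.host.authorize(msg)
```

The switch's log holds only account, amount and transaction type, so a compromise of the transaction processor yields neither clear nor encrypted PINs.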
While the foregoing discussion of the background of this invention has focused on automatic teller machines, because of their ubiquitous and familiar nature and their characteristic of dispensing cash, they are not the only type of device for effecting electronic funds transfer that requires the security of a PIN. Check acceptance systems have used similar arrangements at similar terminals. Additionally, there is growing use of point of sale terminals (POST) for directly debiting accounts using debit cards or ATM cards. While an immediate debit transaction is disadvantageous to the customer in that the customer loses the float on the credit card billing cycle, it keeps the seller involved in the transaction from having to pay the surcharge typically required by credit card companies and thus allows the seller to provide goods or services at a lower cost.
In addition to transactions through secure ATM machines and the like, significant volumes of business are transacted in the United States via telephonic placement of orders with verbal authorization for payment by a charge to a credit card account.
Mail order credit card transactions are archetypical unsecure financial transactions. Typically, a customer wishing to place an order contacts a seller by telephone. A credit card number, account name, and expiration date, all of which appear on the face of the credit card, are usually provided verbally to an order taker, together with the items ordered and information concerning shipment. Most sellers of goods that accept telephonic credit card orders will ship to an address other than the billing address associated with the credit card account. This has led to numerous problems, including significant aggregate monetary losses to the credit card companies, arising from the purchase of goods using stolen credit cards or purloined credit card information.
Since secure terminals having hardware encryption devices are relatively expensive, and located in only a small number of locations, it is highly desirable to provide apparatus for, and a method of, making electronic funds transfers or other financial transactions from unsecured terminals that make use of the existing regional authorization networks and bank computers and records, including the use of personal identification numbers, yet provide a level of security close to or equal to that provided by the constraints imposed by typical regional banking networks in the prior art.